Security groups

Security groups control ingress traffic to VMs and networks on NAT-backed overlays. Rules are rendered as nftables chains on each node.

YAML manifest

kind: SecurityGroup
metadata:
  name: expose-nginx
spec:
  rules:
    - protocol: tcp
      hostPort: 8080
      targetPort: 80
      sourceCidr: "0.0.0.0/0"
      enableDnat: true
  attachments:
    - kind: vm
      target: web-01

Rules

Field        Description
protocol     tcp or udp
hostPort     Port exposed on the host
targetPort   Port inside the VM (optional, defaults to hostPort)
sourceCidr   Allowed source CIDR (default 0.0.0.0/0)
targetVm     Optional; restrict the rule to a specific VM
enableDnat   Enable DNAT from host port to VM private IP
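An added example (not part of kctl or this page) that applies the defaults listed above to a parsed SecurityGroup manifest, rejects malformed fields before they reach the nftables data plane, and flags DNAT rules that accept traffic from any source. It assumes the manifest has already been parsed into a dict, that an absent enableDnat means no DNAT, and it adds a second, constructed udp rule to exercise the defaults.

```python
import ipaddress

# Constructed: the parsed form of the expose-nginx manifest above, plus a
# second rule with optional fields omitted so the documented defaults apply.
MANIFEST = {
    "kind": "SecurityGroup",
    "metadata": {"name": "expose-nginx"},
    "spec": {
        "rules": [
            {"protocol": "tcp", "hostPort": 8080, "targetPort": 80,
             "sourceCidr": "0.0.0.0/0", "enableDnat": True},
            {"protocol": "udp", "hostPort": 5353},
        ],
        "attachments": [{"kind": "vm", "target": "web-01"}],
    },
}


def normalize_rule(rule):
    """Validate one rule and fill in the defaults from the Rules table."""
    proto = rule.get("protocol")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
    host_port = rule.get("hostPort")
    if not isinstance(host_port, int) or not 1 <= host_port <= 65535:
        raise ValueError(f"hostPort out of range: {host_port!r}")
    target_port = rule.get("targetPort", host_port)  # defaults to hostPort
    if not isinstance(target_port, int) or not 1 <= target_port <= 65535:
        raise ValueError(f"targetPort out of range: {target_port!r}")
    # ip_network raises ValueError on a malformed CIDR; strict=False tolerates
    # host bits being set (e.g. 10.0.0.5/24) rather than rejecting the rule.
    cidr = ipaddress.ip_network(rule.get("sourceCidr", "0.0.0.0/0"), strict=False)
    return {
        "protocol": proto, "hostPort": host_port, "targetPort": target_port,
        "sourceCidr": str(cidr),
        "enableDnat": bool(rule.get("enableDnat", False)),  # assumed default
        "targetVm": rule.get("targetVm"),
    }


def review_manifest(manifest):
    """Return (normalized rules, review findings) for a SecurityGroup manifest."""
    if manifest.get("kind") != "SecurityGroup":
        raise ValueError("not a SecurityGroup manifest")
    rules = [normalize_rule(r) for r in manifest["spec"]["rules"]]
    findings = []
    for r in rules:
        # A /0 source combined with DNAT publishes the VM port to the world.
        if r["enableDnat"] and ipaddress.ip_network(r["sourceCidr"]).prefixlen == 0:
            findings.append(f"{r['protocol']}/{r['hostPort']} DNATs to VM port "
                            f"{r['targetPort']} from any source; narrow sourceCidr")
    return rules, findings
```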

Attachments

Each attachment binds the security group to a workload:

CLI operations

# Create a security group from a manifest
kctl sg create -f sg.yaml

# Reconcile (create-or-update)
kctl sg apply -f sg.yaml

# List all security groups
kctl sg list

# Get details for a single security group
kctl sg get <name>

# Delete a security group
kctl sg delete <name>

# Attach a security group to a VM
kctl sg attach --name <sg> --kind vm --target <vm>

# Detach a security group
kctl sg detach --name <sg> --kind vm --target <vm>

Data plane

The controller resolves security-group rules to Nix configuration at ch-vm.vms.networks.<name>.securityGroupRules. Rules are applied as nftables rules in the NAT pipeline on each affected node.

Apply via kctl apply

kctl apply -f sg.yaml

kctl apply auto-detects kind: SecurityGroup and routes to the security group handler.